Section 65B of the Indian Evidence Act, 1872 was introduced by the Information Technology Act, 2000 to address a simple but critical problem: how does a court evaluate a printout of a WhatsApp chat, a bank statement exported from a portal, or a screenshot of a conversation? These are not original documents. They are computer-generated outputs. Section 65B sets out the conditions under which such outputs are admissible as secondary evidence of the original electronic record.

Why it matters more than ever

In the 25 years since Section 65B came into force, digital evidence has moved from the periphery of litigation to its centre. Today, the most important evidence in fraud cases, matrimonial disputes, employment matters, and criminal proceedings is often digital — emails, messages, CCTV footage, GPS logs, financial transaction records.

Yet a significant proportion of cases are lost or weakened not because the underlying evidence was absent, but because it was presented incorrectly. Courts have rejected otherwise compelling digital evidence on procedural grounds, and appellate courts have consistently upheld those rejections.

The three requirements of Section 65B

For a computer output to be admissible as evidence of an electronic record, Section 65B requires that:

• The computer producing the output was used regularly in the activity in question during the period over which the record was produced.
• The computer was operating properly during that period — or if it was not, that the improper operation did not affect the accuracy of the output.
• The information in the output reproduces or is derived from information supplied to the computer in the ordinary course of those activities.

These conditions must be certified in a certificate under Section 65B(4) — signed by a responsible official of the organisation that operated the computer, or by a person occupying a responsible position in relation to its operation.

The certificate — the most commonly missed requirement

The Section 65B(4) certificate is not optional. The Supreme Court's ruling in Anvar P.V. v. P.K. Basheer (2014) made clear that a certificate is a condition precedent to the admissibility of electronic records. Without it, the evidence cannot be admitted — even if its authenticity is not disputed.

Subsequent decisions including Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020) reinforced this position and clarified who may issue such a certificate. The certificate must come from a person who has control over or is responsible for the device that produced the output.

A forensic examiner is not a substitute for the Section 65B certificate. The examiner's role is to verify the integrity and authenticity of the evidence — not to certify its origin. Both are required for admissible court-ready evidence.

What a properly prepared Section 65B affidavit looks like

At SatyaDigi Forensics Limited, we prepare Section 65B affidavits as part of every engagement where digital evidence is destined for court. A properly prepared affidavit will:

• Identify the device and its responsible custodian by name, designation, and organisation.
• Confirm the device was in regular use during the relevant period.
• State that the device was functioning correctly — or qualify this with any known exceptions.
• Describe the process by which the output was generated.
• Be accompanied by a hash value (MD5 or SHA-256) of the electronic record, allowing courts to verify that the output has not been tampered with.

Common mistakes that invalidate Section 65B evidence

We see the same errors repeatedly in evidence that comes to us for review:

• Screenshots without chain of custody. A screenshot taken on a personal phone and emailed to a solicitor has no verified chain of custody and cannot be certified under 65B(4).
• Certificates signed by the wrong person. The certificate must be issued by the person responsible for the device — not the client's IT vendor, not a junior employee, not the advocate.
• Missing hash values. Without a hash value, it is impossible to prove the output has not been altered between collection and presentation.
• Downloaded bank statements. PDFs downloaded from a bank portal are computer outputs. They require a 65B certificate from the bank — not just a printout stamped by a branch manager.

The practical implication for law firms

If you are instructing a digital forensics expert, instruct them early — before the evidence is collected if possible. Forensic best practices and Section 65B compliance are most easily achieved when the examiner is involved from the outset. Retrofitting procedural compliance onto already-collected evidence is difficult and sometimes impossible.

SatyaDigi Forensics Limited works directly with advocates and law firms across India to prepare Section 65B-compliant evidence packages. If you have a matter involving digital evidence, we are available for a confidential consultation.

When a client tells you that messages were deleted, the first question to ask is: when, and from what device? The answer determines whether recovery is possible, and what that recovery will look like in evidence.

Where WhatsApp data actually lives

WhatsApp stores messages in a SQLite database on the device. On Android, this is typically located at /data/data/com.whatsapp/databases/msgstore.db. On iOS, the equivalent database is stored in the application sandbox. When a message is deleted, the database marks the record as deleted — but in most cases, the underlying data is not immediately overwritten. It remains in unallocated space within the database file until it is overwritten by new data.

WhatsApp also creates automatic backups — daily on Android to Google Drive or local storage, and to iCloud on iOS. These backups are a separate and often more reliable source of deleted messages than the device itself.

What determines recoverability

Three factors largely determine whether deleted messages can be recovered:

• Time since deletion. The longer the gap, the more likely the space has been overwritten. A message deleted this morning is far more likely to be recoverable than one deleted six months ago.
• Device usage since deletion. Heavy use of the device — installing apps, taking photos, using the phone normally — increases the risk of overwriting. The device should ideally be placed in airplane mode and handed to an examiner as quickly as possible.
• Backup availability. If a backup exists from before the deletion, recovery is almost certain. Google Drive and iCloud backups are routinely accessed in forensic examinations with appropriate authorisation.

What the tools actually do

Professional forensic tools — Cellebrite UFED and Magnet AXIOM are the two most widely used in India — extract the entire database file from the device, including unallocated space. The tools then parse the database and surface records marked as deleted. The examiner reviews these records, verifies their integrity, and prepares them for presentation.

Forensic recovery is not the same as data carving from a hard drive. WhatsApp's database structure means that even deleted records often retain metadata — timestamps, sender information, message type — even when the message body is partially or fully overwritten.

Implications for litigation

If your client has deleted messages that are relevant to a matter, do not assume they are gone. Equally, if the opposing party claims to have deleted relevant messages, a forensic examination of their device may be sought through appropriate discovery proceedings. Courts in India have increasingly granted such applications in commercial and family matters where digital evidence is central.

The key practical step is speed. Every day that passes after deletion reduces the probability of recovery. If you suspect relevant messages have been deleted, contact a forensic examiner immediately.

India's UPI ecosystem processed over 172 billion transactions in 2024, with a total value exceeding ₹246 lakh crore. It is one of the most successful financial infrastructure projects in history. It is also one of the most actively targeted by fraudsters.

The anatomy of a UPI fraud

Most UPI fraud falls into one of several patterns: social engineering (convincing a victim to approve a payment request), SIM swap attacks, QR code fraud, or identity-based account takeover. In each case, the fraud leaves a digital trail — transaction IDs, device fingerprints, IP addresses, UPI handles, and timestamps — that a forensic investigator can follow.

What a forensic reconstruction looks like

A forensic reconstruction of a UPI fraud typically begins with three data sources: the victim's device, the victim's bank records, and the NPCI transaction log. Working from these sources, the examiner traces each transaction through the payment network — identifying the destination account, the device used to receive the payment, and in many cases the physical location from which the transaction was initiated.

• Transaction ID analysis. Every UPI transaction carries a unique reference number (UTR). This can be used to trace the transaction through the banking system and identify the beneficiary account.
• Device fingerprinting. UPI apps record device information at the time of registration. If the fraudster used a different device to receive funds, this discrepancy can be identified and documented.
• Network analysis. IP addresses and cell tower data can place a device at a physical location at the time of the transaction — critical evidence when the fraud involves a known suspect.

The role of the forensic report in recovery proceedings

A well-prepared forensic report is the foundation of any recovery action. It provides the documentation required for a complaint to the cybercrime portal, a formal banking grievance, or civil proceedings against identifiable beneficiaries. Without a forensic reconstruction, recovery efforts are frequently stalled by the inability to identify the ultimate beneficiary of the fraud.

SatyaDigi Forensics Limited has assisted clients across India with UPI fraud investigations, producing forensic reports that have been used in successful recovery actions and criminal complaints. If you have been affected by UPI fraud, time is critical — contact us for an immediate consultation.

In 2024, India's Ministry of Electronics and Information Technology issued an advisory to social media platforms requiring them to detect and remove deepfake content within 24 hours of a complaint. The advisory was a formal acknowledgment of what forensic examiners had been observing for several years: AI-generated content was becoming prevalent enough to require a regulatory response.

What is a deepfake, technically speaking

The term "deepfake" has broadened beyond its original meaning — face-swapping video generated by deep learning models — to encompass any AI-generated or AI-manipulated media: synthetic voice audio, AI-generated images, manipulated video, and even AI-generated text presented as authentic communications.

Each type requires different detection techniques. Face-swap video detection looks for artefacts in facial boundaries, inconsistencies in lighting and shadow, and unnatural blinking patterns. Voice synthesis detection analyses spectral characteristics and prosody patterns that differ between human speech and synthesised audio. Image generation detection examines metadata and statistical patterns in pixel distributions.

The legal challenge

Indian courts do not yet have specific statutory guidance on the treatment of alleged deepfake evidence. The existing framework — the Information Technology Act, Section 65B of the Evidence Act, and the Indian Penal Code provisions on forgery — applies, but it was not designed for AI-generated content.

A deepfake is not a forgery in the traditional sense. It is not a modified original — it is a synthetic creation. The legal framework for forgery requires the existence of an original that has been altered. A deepfake may have no original at all.

How forensic examination works in practice

When we examine suspected deepfake content, the analysis proceeds in three stages. First, we conduct a technical examination of the file itself — metadata, compression artefacts, encoding characteristics — to establish whether the file has been altered or synthetically generated. Second, we apply AI-based detection models trained on synthetic media to identify patterns consistent with AI generation. Third, we produce a written forensic report documenting our methodology, our findings, and our confidence level.

Confidence level is important. Deepfake detection is probabilistic, not binary. A well-made deepfake may pass several detection tests. Our reports are honest about uncertainty — which is precisely what a court requires.

Practical guidance for advocates

If you are dealing with a matter in which the authenticity of video, audio, or image evidence is in question, commission a forensic examination before the hearing. Courts are increasingly willing to receive expert evidence on this issue, and a well-prepared forensic report can be decisive. Do not assume that because content looks authentic it is authentic — or vice versa.

When a company discovers that an employee may have stolen data, leaked confidential information, or sabotaged systems, the instinct is often to act immediately — to confront the employee, to demand access to their devices, to call IT and have their access revoked. These instincts are understandable. They are also, from a forensic standpoint, frequently counterproductive.

Why the first 72 hours matter

Digital evidence is volatile. It can be overwritten, deleted, encrypted, or simply lost if devices are powered off and reimaged before an examiner has had the chance to acquire forensic copies. The actions taken — or not taken — in the first three days after a suspected insider threat is identified frequently determine whether the company will ever have sufficient evidence to take action.

What to do immediately

• Do not confront the employee. A confrontation may cause the employee to delete or destroy evidence. If the matter is serious enough to involve forensic investigation, it is serious enough to manage carefully.
• Preserve, do not investigate. Your first objective is to preserve evidence in its current state. This means securing devices, preserving logs, and preventing any further data loss — not conducting your own investigation.
• Isolate without alerting. If the employee's access needs to be revoked, do it quietly and at a time that will not immediately signal to them that they are under investigation.
• Contact a forensic examiner. The sooner a forensic examiner is involved, the more evidence will be preserved. We can advise remotely on immediate preservation steps within hours of being contacted.
• Preserve cloud and network logs. Email server logs, VPN logs, cloud storage access logs, and active directory logs are often overwritten on short cycles. Request that these be preserved immediately.

What not to do

The most common mistakes we see in insider threat cases are: IT reimaging a device before a forensic copy is taken; HR conducting an interview that alerts the employee; management accessing the employee's email directly (which may constitute its own legal issue); and general inaction while the organisation deliberates about whether to investigate at all.

The question of whether to investigate can be answered later. The question of whether there will be evidence to support an investigation must be answered now.

What a forensic investigation will produce

A properly conducted insider threat investigation will produce a forensic report documenting what data was accessed, copied, or transmitted; the timeline of the employee's actions; the devices and accounts involved; and any evidence of deliberate concealment. This report is the foundation for employment action, civil proceedings, or criminal complaint.

SatyaDigi Forensics Limited responds to insider threat cases on an urgent basis. If you are dealing with a suspected insider threat right now, contact us immediately at info@satyadigi.com.

In forensic science, reproducibility is everything. A finding that cannot be independently verified is not a finding — it is a claim. The mechanism that enables reproducibility in digital forensics is the hash value, and the mechanism that preserves the integrity of the evidence from collection to court is the chain of custody. Together, they are the foundation on which all digital evidence rests.

What a hash value is and why it matters

A cryptographic hash function takes any input — a file, a drive image, a database — and produces a fixed-length output, called a hash or digest. The SHA-256 algorithm, the current standard in forensic practice, produces a 256-bit output regardless of whether the input is a 1KB text file or a 4TB hard drive image. Any change to the input — even a single bit — produces an entirely different hash.

This property — called collision resistance — means that a hash value functions as a digital fingerprint. If the SHA-256 hash of an evidence file taken at acquisition matches the hash verified at analysis and again at presentation, the file has not been altered. If the hashes differ, something has changed.

"The integrity of digital evidence depends entirely on the ability to demonstrate that it has not been modified from the point of collection to the point of presentation." — SWGDE Best Practices for Computer Forensics, Scientific Working Group on Digital Evidence.

The chain of custody — what it requires in practice

Chain of custody documentation establishes an unbroken record of who had possession of evidence, when, and in what condition. In digital forensics, a proper chain of custody log records:

• The date, time, and location of evidence acquisition
• The identity and credentials of the acquiring examiner
• The make, model, and serial number of the original device
• The hash values of the acquired forensic image (recorded immediately at acquisition)
• Every transfer of custody, with signatures from both transferring and receiving parties
• Storage conditions and access controls applied during preservation

Write blockers — the hardware that preserves evidence

When acquiring a forensic image of a storage device, the examiner must ensure that the act of connecting the device to an examination system does not modify it. Modern operating systems write to connected storage devices automatically — mounting logs, thumbnail caches, volume metadata. A single automatic write can alter the hash of the evidence and compromise its integrity.

Write blockers — hardware devices that permit read operations while preventing any write operations — are the standard solution. The use of a write blocker is documented in the acquisition log. Without it, opposing counsel has a straightforward basis to challenge the integrity of the acquired evidence.

What courts have said

Indian courts have increasingly engaged with these standards. In State (NCT of Delhi) v. Navjot Sandhu (2005), the Supreme Court considered the admissibility of call records and mobile data, establishing principles that have been cited in subsequent digital evidence cases. More recently, the Bombay and Delhi High Courts have excluded digital evidence where chain of custody documentation was incomplete or where hash verification was absent from the examiner's report.

The consistent message from these decisions is that digital evidence will be scrutinised — and that procedural gaps will be exploited by experienced defence counsel.

Practical implications for instructing solicitors

When instructing a forensic examiner, confirm that their report will include: the hash values of all acquired images, a complete chain of custody log, confirmation of write blocker use, and the examiner's professional qualifications. These are not optional extras — they are the minimum standard for evidence that will withstand challenge in court. SatyaDigi Forensics Limited provides all of these as standard in every engagement.

When a client hands over a smartphone for forensic examination, the first question is not "what data do we need?" — it is "what platform is this?" The answer determines the entire scope and methodology of the examination. iOS and Android are fundamentally different architectures with fundamentally different forensic profiles.

iOS — the Secure Enclave and what it means for examiners

Apple's Secure Enclave Processor (SEP), introduced with the iPhone 5S and present in every subsequent device, is a dedicated security subsystem physically isolated from the main application processor. It stores the device's encryption keys and processes biometric authentication. Critically, it is designed so that Apple itself cannot extract keys from it — a design decision confirmed during Apple's 2016 legal dispute with the FBI over the San Bernardino shooter's iPhone 5C.

In practical forensic terms, a locked iOS device with an unknown passcode presents a significant challenge. The encryption keys are derived from the passcode and are not accessible without it. This means that brute-force passcode attacks are the primary avenue for locked device access — and Apple's progressive lockout mechanisms (increasing delays after failed attempts, potential data wipe after 10 failures) limit this approach.

"The design of the Secure Enclave means that even sophisticated nation-state actors have faced significant difficulty extracting data from fully patched, locked iPhones." — Cellebrite UFED Technical Documentation, 2024 edition.

For unlocked iOS devices, or devices where the passcode is known, full file system extraction is possible using tools including Cellebrite UFED and Magnet AXIOM, subject to the iOS version. Each major iOS update can change what is and is not accessible.

Android — fragmentation and what it means for examiners

Android's forensic profile is the inverse of iOS in one critical respect: fragmentation. There are thousands of distinct Android device models running hundreds of different Android versions, each with varying encryption implementations, security patch levels, and manufacturer-specific modifications.

This fragmentation creates both opportunities and challenges. Older Android devices or those running unpatched software may be susceptible to extraction methods not available on iOS. Newer high-end Android devices — particularly Samsung Galaxy S series and Google Pixel devices running current Android — implement encryption and security features comparable to iOS.

Android's file system structure also differs significantly from iOS. App data locations, database formats, and backup behaviours vary by manufacturer and version. An examiner familiar with iOS extraction cannot assume that the same approach will yield the same results on an Android device.

Cloud evidence — the third option

When device-level extraction is limited by encryption, cloud evidence often provides an alternative path. iCloud backups, Google Drive, WhatsApp cloud backups, and Gmail archives frequently contain the same data that cannot be accessed on the device itself — and with appropriate legal authorisation, they can be obtained directly from the service provider.

This is not a workaround — it is standard forensic practice. The NIST Guidelines on Mobile Device Forensics (SP 800-101 Rev.1) explicitly recognises cloud acquisition as a primary evidence source alongside physical and logical device extraction.

What this means for instructing parties

When briefing a forensic examiner on a mobile device matter, provide the make, model, iOS/Android version, and whether the device is locked. This information allows the examiner to accurately scope the examination and advise on realistic recovery prospects before any work begins — avoiding the cost and delay of attempting extractions that cannot succeed.

India's Enforcement Directorate seized ₹936 crore in cryptocurrency assets in FY 2023-24 alone, reflecting both the scale of crypto fraud in India and the growing maturity of investigative techniques available to track it. Despite the pseudonymous nature of blockchain networks, cryptocurrency transactions leave a more durable and traceable record than most traditional financial instruments.

How blockchain traceability works

Every transaction on a public blockchain — Bitcoin, Ethereum, and most major cryptocurrencies — is permanently recorded on a distributed public ledger. The ledger records the sending address, receiving address, amount, timestamp, and transaction ID. This record is immutable and publicly accessible.

The pseudonymity of cryptocurrency comes from the fact that addresses are not inherently linked to real-world identities. An address is simply a cryptographic public key — a string of characters. However, addresses can be de-anonymised through a combination of blockchain analytics and off-chain intelligence.

"Contrary to popular belief, Bitcoin is not anonymous — it is pseudonymous. With sufficient analytical effort, the vast majority of Bitcoin transactions can be attributed to real-world entities." — Chainalysis 2024 Crypto Crime Report.

Blockchain analytics — how investigators trace funds

Specialist blockchain analytics platforms — including Chainalysis, Elliptic, and CipherTrace — maintain extensive databases linking blockchain addresses to known entities: cryptocurrency exchanges, darknet markets, ransomware operators, and sanctioned individuals. These databases are built through a combination of open-source intelligence, exchange data shared under legal process, and proprietary research.

The core technique is transaction graph analysis — tracing the flow of funds from the fraud address through subsequent hops to an exit point. Exit points are typically centralised exchanges where cryptocurrency is converted to fiat currency. These exchanges are required under India's PMLA (Prevention of Money Laundering Act) to conduct KYC and maintain records — which means they hold identity information that can be obtained through legal process.

Privacy coins and mixing services — the complicating factors

Monero, Zcash, and other privacy-focused cryptocurrencies use cryptographic techniques — ring signatures, zero-knowledge proofs, stealth addresses — that obscure transaction details on the public blockchain. Mixing services ("tumblers") attempt to break the transaction trail by pooling and redistributing funds through multiple intermediate addresses.

These techniques complicate but do not defeat forensic analysis. The Europol-led operation that dismantled ChipMixer in 2023 — seizing €44 million — demonstrated that even well-constructed mixing operations are not forensically impenetrable. Operational security failures by fraudsters, exchange KYC records, and IP address correlation frequently provide the intelligence needed to bridge the gap.

Admissibility of blockchain evidence in India

Blockchain transaction records qualify as electronic records under the Information Technology Act, 2000. They are admissible subject to Section 65B certification for the export or printout of the blockchain data. Blockchain analytics reports produced by forensic examiners are admissible as expert evidence under Section 45 of the Indian Evidence Act, provided the examiner can demonstrate appropriate expertise and methodology.

The ED's increasing use of blockchain forensics in enforcement actions — and the courts' acceptance of this evidence in attachment proceedings under PMLA — establishes a growing body of precedent supporting the admissibility of crypto tracing evidence in Indian courts.

In early 2024, a finance employee at a multinational company in Hong Kong transferred $25 million USD after participating in a video conference call with what appeared to be the company's CFO and other colleagues. Every person on the call except the employee was a deepfake. The incident — reported by Hong Kong police in February 2024 — represented a new threshold in the sophistication and operational deployment of synthetic media fraud.

Voice cloning specifically — the generation of synthetic speech that convincingly mimics a specific person's voice — has become accessible to non-specialists. Tools capable of producing convincing voice clones from as little as three seconds of reference audio are commercially available. The forensic science of detecting synthetic audio has had to advance accordingly.

How voice synthesis works — the technical foundation

Modern voice synthesis relies on neural text-to-speech (TTS) models, typically transformer-based architectures trained on large corpora of speech data. Given a reference audio sample, a cloning model extracts a speaker embedding — a mathematical representation of the speaker's vocal characteristics — and uses it to condition the synthesis of new speech.

The quality of modern TTS systems has improved to the point where human listeners can no longer reliably distinguish synthetic from genuine speech. A 2023 study published in PLOS ONE (Müller et al.) found that human listeners correctly identified synthetic speech only 73% of the time — barely above chance for high-quality synthesis — and that accuracy fell further when listeners were not primed to expect synthetic content.

Spectral analysis — the primary detection technique

Despite perceptual quality improvements, neural TTS systems leave characteristic artefacts in the acoustic signal that are not perceptible to human listeners but are detectable through spectral analysis. These include:

• Voicing irregularities: Synthetic voice systems often struggle with natural voicing transitions — the subtle variations in vocal fold vibration that characterise human speech. Spectrographic analysis of the fundamental frequency (F0) contour can reveal unnatural regularity or discontinuities.
• Formant structure anomalies: The resonant frequencies of the vocal tract (formants F1-F4) exhibit characteristic patterns in human speech that current synthesis models do not perfectly replicate. Formant analysis can reveal statistical deviations from the target speaker's known acoustic profile.
• Phase spectrum characteristics: Neural vocoders — the component of TTS systems that converts acoustic features to audio waveforms — introduce characteristic phase artefacts not present in natural speech.

"Automatic speaker verification systems trained specifically on anti-spoofing tasks consistently outperform human listeners in detecting synthetic speech, achieving EER (Equal Error Rate) values below 2% on standard evaluation datasets." — ASVspoof 2021 Challenge Results, IEEE/ACM Transactions on Audio, Speech, and Language Processing.

Practical detection methodology

At SatyaDigi Forensics Limited, synthetic audio analysis proceeds through three stages. First, technical metadata examination — file format, encoding parameters, and creation timestamp analysis. Second, acoustic analysis — spectrographic examination, F0 analysis, and formant structure comparison against available reference recordings of the purported speaker. Third, neural classifier analysis — submission to trained anti-spoofing models for probabilistic assessment.

As with deepfake video analysis, results are probabilistic. We report a confidence level and explain our methodology — not a binary authentic/fake determination. This approach is both scientifically honest and appropriate for expert evidence presented to a court.

Business Email Compromise (BEC) cost global organisations $2.9 billion in 2023, according to the FBI's 2023 Internet Crime Report — making it the single highest-value category of cybercrime by financial loss, ahead of ransomware, investment fraud, and all other categories. In India, BEC incidents targeting corporate treasury, vendor payment processes, and legal settlements are a growing share of high-value fraud matters.

The investigative tool most commonly underused in BEC cases is email header analysis. An email's visible header — the From, To, and Subject fields — is trivially spoofable. The technical header — the full MIME header including Received fields, Message-ID, DKIM signatures, and SPF/DMARC results — tells a forensically reliable story about where the email actually came from.

The anatomy of an email header

When an email is transmitted, each mail server it passes through prepends a Received field to the header, recording the server's identity, the IP address of the connecting server, and a timestamp. Reading from bottom to top (oldest to newest), the Received chain traces the email's path from originating server to destination inbox.

In a genuine business email, the originating IP address in the bottom-most Received field should correspond to the sending organisation's mail infrastructure — verifiable against published SPF records and DKIM signatures. In a spoofed or fraudulent email, this chain typically reveals an originating IP address unconnected to the purported sender's organisation.

DKIM, SPF, and DMARC — the authentication layer

Modern email authentication relies on three interlocking standards:

• SPF (Sender Policy Framework): Specifies which IP addresses are authorised to send email on behalf of a domain. A receiving server checks whether the sending IP is listed in the sender domain's SPF record.
• DKIM (DomainKeys Identified Mail): A cryptographic signature applied to the email by the sending server, verifiable against a public key published in the sender domain's DNS records. A valid DKIM signature confirms that the email content has not been modified in transit and was sent from a server authorised by the domain holder.
• DMARC (Domain-based Message Authentication): Builds on SPF and DKIM to specify what receiving servers should do with emails that fail authentication — reject, quarantine, or allow — and provides reporting to the domain owner.

"The vast majority of BEC emails that successfully reach victim inboxes exploit domains lacking DMARC enforcement. Domains with a DMARC policy of 'reject' are effectively immune to direct domain spoofing." — Proofpoint State of the Phish Report 2024.

What email header analysis can and cannot prove

Header analysis can prove: the originating IP address of an email, whether authentication mechanisms were present and valid, the transmission path, and timestamps at each hop. It cannot by itself prove the identity of the person who sent the email — IP addresses identify devices, not people. Attributing an IP address to an individual requires additional evidence: device logs, ISP subscriber records, or corroborating intelligence.

For court purposes, email header analysis is presented as expert evidence accompanied by a Section 65B certificate covering the email data. The combination — technical analysis with proper certification — provides a robust evidentiary foundation for BEC fraud proceedings.

RAID — Redundant Array of Independent Disks — is one of the most misunderstood technologies in enterprise IT. Designed to provide either performance benefits or fault tolerance (depending on the RAID level), it is routinely mistaken for a backup solution. It is not. When a RAID system fails catastrophically, recovery requires specialist forensic techniques that differ significantly from standard data recovery.

RAID is not a backup

RAID 1 mirrors data across two or more disks. RAID 5 distributes data and parity across three or more disks. RAID 6 extends this to tolerate two simultaneous disk failures. These configurations protect against individual hardware failures — they do not protect against accidental deletion, ransomware encryption, controller failure, or simultaneous multiple disk failure.

According to a 2023 Backblaze drive failure study, the annual failure rate for enterprise HDDs averages 1.54%. In a RAID 5 array of 8 drives, the probability of a second drive failure occurring during the rebuild period following the first failure — the "RAID 5 write hole" — is not negligible. Organisations that rely on RAID without independent backup are exposed to a well-understood and quantifiable risk.

The forensic approach to RAID recovery

When a RAID array fails and data recovery is required, the forensic approach differs from standard IT recovery in one critical respect: evidence preservation. If the failed array may be relevant to litigation — a fraud investigation, an employment dispute, a data breach — the recovery process must be conducted in a way that preserves evidential integrity.

This means imaging each individual drive before any reconstruction is attempted, using write-blocked acquisition to ensure the original drives are not modified, documenting the RAID configuration (level, stripe size, disk order, parity rotation), and performing the logical reconstruction on forensic copies rather than the originals.

RAID reconstruction — the technical challenge

Reconstructing a RAID array from failed or partially failed drives requires understanding the array's stripe configuration. Key parameters include:

• RAID level: Determines the parity scheme and the number of drives that can fail while retaining recoverability.
• Stripe size: The amount of data written to each disk before moving to the next. Typical values range from 64KB to 512KB. Incorrect stripe size identification is one of the most common causes of failed RAID reconstruction.
• Disk order: The sequence in which drives are read during reconstruction. Incorrect disk ordering produces a technically complete but logically corrupt volume.
• Parity rotation: In RAID 5 and 6, parity blocks rotate across drives in a defined pattern. The rotation scheme must be correctly identified for successful reconstruction.

Specialist tools including R-Studio, UFS Explorer, and GetDataBack support manual RAID parameter configuration and reconstruction. For complex failures or arrays with controller-specific metadata, the reconstruction may require reverse engineering the controller firmware's stripe parameters.

Ransomware and RAID — a particular challenge

Ransomware increasingly targets NAS (Network Attached Storage) and server RAID systems directly. Modern ransomware variants specifically enumerate and encrypt RAID volumes, shadow copies, and backup destinations. Recovery from ransomware-encrypted RAID requires first determining whether decryption tools are available — via resources including the No More Ransom project — before attempting file carving or partial reconstruction from unencrypted sectors.

If your organisation has experienced a RAID failure — whether from hardware failure, ransomware, or controller corruption — contact us immediately. The probability of successful recovery decreases with every subsequent read/write operation on the affected drives.

SIM swap fraud — also called SIM hijacking or SIM porting fraud — is a form of identity theft that exploits the mobile number portability system to transfer a victim's telephone number to a SIM card controlled by a fraudster. Once in possession of the victim's number, the attacker intercepts SMS-based two-factor authentication codes and gains access to banking, email, and cryptocurrency accounts.

According to the FBI's 2023 Internet Crime Report, SIM swap complaints in the US alone resulted in losses exceeding $48 million. Indian cybercrime data from the National Crime Records Bureau shows a consistent year-on-year increase in SIM swap-related financial fraud, concentrated in high-value banking and cryptocurrency theft.

The mechanics of a SIM swap attack

A successful SIM swap requires the attacker to convince the victim's mobile operator to port the number to a new SIM. This is achieved through one of three methods:

• Social engineering: The attacker contacts the operator's customer service, impersonating the victim with sufficient personal information — name, date of birth, address, account number — to pass identity verification. This information is typically obtained through prior phishing, data breaches, or open-source intelligence gathering.
• Insider access: A corrupt employee at the mobile operator processes the port without legitimate authorisation. This is more common than publicly acknowledged — India's Telecom Regulatory Authority of India (TRAI) has flagged insider-facilitated porting fraud in multiple advisories.
• Fraudulent porting documents: The attacker submits falsified documentation to initiate a legitimate port-out request through the operator's formal porting process.

The forensic trail — what is recoverable

SIM swap attacks leave evidence across multiple systems simultaneously, each independently verifiable:

• Telecom operator logs: Every port request, customer service interaction, and SIM activation is logged by the operator. These logs record the timestamp, the identity of the agent who processed the request, and the device identifiers (IMSI, ICCID) involved. These records are obtainable through legal process — a court order or FIR-based request to TRAI or the operator directly.
• Victim's device logs: The moment a SIM swap completes, the victim's device loses network registration. iOS and Android both log this event with a precise timestamp. The victim's device will show a gap in call records and SMS receipt corresponding exactly to the period of the fraud.
• Banking access logs: Fraudulent access to banking accounts following a SIM swap is preceded by authentication events — OTP requests, login attempts — that are logged by the bank's systems with IP addresses, device fingerprints, and timestamps.

"The combination of telecom porting records and banking access logs typically allows reconstruction of a SIM swap attack timeline with minute-level precision, providing courts with a clear and independently verifiable account of the fraud." — TRAI Advisory on SIM Swap Fraud Prevention, 2022.

Practical steps if you suspect a SIM swap

If a client reports sudden loss of mobile service followed by unauthorised account access, the priority actions are: contact the mobile operator immediately to reverse the port, contact all financial institutions to freeze accounts, and engage a forensic examiner to begin preserving evidence before logs are overwritten. Telecom operators in India are generally required to maintain call records for 12 months — but the clock starts from the date of the fraud, not the date of the complaint.

Location evidence from mobile devices has become one of the most commonly sought categories of forensic data in Indian litigation — appearing in criminal matters, matrimonial disputes, employment cases, and personal injury claims. Its persuasive power is high. Courts and juries find GPS coordinates and timestamped location records intuitively compelling. This makes a clear-eyed assessment of what mobile location data actually proves — and its inherent limitations — more important than ever.

The four sources of mobile location data

A modern smartphone records location data through four distinct mechanisms, each with different accuracy characteristics:

• GPS (Global Positioning System): The most accurate source, providing location to within 3–5 metres under clear sky conditions. GPS requires a line-of-sight connection to multiple satellites and is degraded indoors, in urban canyons, and in adverse weather. GPS fixes are recorded by the device's operating system and by individual apps with location permissions.
• Cell tower triangulation: The device's connection to mobile network towers is logged by both the operator and the device. Cell tower records place a device within the coverage area of the serving tower — typically a radius of several hundred metres in urban areas, several kilometres in rural areas. This is less precise than GPS but available even when GPS is disabled.
• Wi-Fi positioning: Devices scan for nearby Wi-Fi networks continuously, even when not connected. The MAC addresses of detected networks are cross-referenced against commercial databases of geolocated Wi-Fi access points. Wi-Fi positioning accuracy is typically 10–40 metres in areas with dense Wi-Fi coverage.
• App-level location logs: Navigation apps (Google Maps, Apple Maps), ride-hailing apps (Ola, Uber), food delivery, and social media platforms maintain their own location histories, often with higher temporal resolution than the OS-level location log. These are preserved both on-device and in the app provider's cloud infrastructure.

"Mobile device location data from multiple independent sources — GPS, cell tower, and Wi-Fi — when corroborated, provides location evidence with a reliability that exceeds most witness testimony." — NIST Special Publication 800-101 Rev.1, Guidelines on Mobile Device Forensics.

Critical limitations — what location data cannot prove

Three limitations of mobile location data are frequently misunderstood in legal proceedings. First, location data proves where the device was — not necessarily where its owner was. A device left in a vehicle, at an office, or with another person will record that location regardless of the owner's physical whereabouts. Second, GPS data can be spoofed using commercially available hardware. Third, timestamps in location records are set by the device clock, which may be set manually, subject to time zone errors, or deliberately manipulated.

A forensic report on location evidence must address each of these limitations explicitly — noting what corroborating evidence exists, what manipulation artefacts were or were not found, and what the data can and cannot establish. An examiner who presents location data without these qualifications is overstating the evidence.

Extraction and Section 65B certification

Location data extracted from a mobile device is an electronic record subject to Section 65B certification. The certification must cover the extraction method, the tool used, the hash values of the acquired data, and the examiner's qualifications. Location records obtained from telecom operators or app providers through legal process require a separate certification from the relevant data custodian.

Signal is routinely described as "unbreakable" by both its advocates and by parties in litigation seeking to avoid disclosure. Telegram is frequently assumed to be similarly secure. The forensic reality of both platforms is considerably more nuanced — and in practice, significant evidence is often recoverable from both, depending on how the application is configured and how the examination is conducted.

Signal — what the encryption actually protects

Signal's encryption is end-to-end and by all credible assessments robust. The Signal Protocol, developed by Open Whisper Systems, uses a combination of the Double Ratchet Algorithm and the X3DH key agreement to provide forward secrecy and break-in recovery. This means that intercepting Signal traffic in transit provides an attacker with nothing readable.

What this does not protect is the data on the device itself. Signal stores messages in a local SQLite database on both iOS and Android. On Android, this database is encrypted — but the encryption key is stored in the application's private data directory. On a rooted Android device or a device for which a full file system extraction is possible, the Signal database can be decrypted and parsed.

"Signal's security model is designed to protect against network interception and server compromise — not against physical device access by a forensic examiner with appropriate tools." — Trail of Bits, Security Audit of Signal Android, 2016 (findings remain substantially applicable to architecture).

Disappearing messages present a different challenge. If a message has been deleted from the device before the forensic examination, recovery depends on whether the database record has been overwritten — the same calculus that applies to WhatsApp deletion recovery. Messages that have disappeared from the user interface may remain in unallocated database space.

Telegram — a more complex picture

Telegram's security model differs fundamentally from Signal's and is frequently misrepresented. Standard Telegram chats are not end-to-end encrypted — they are encrypted in transit and at rest on Telegram's servers, but Telegram holds the encryption keys. This means Telegram can comply with lawful government requests for message content — and does so in appropriate circumstances.

Telegram's "Secret Chats" are end-to-end encrypted using the MTProto protocol. These chats are device-specific, not stored on Telegram's servers, and are not accessible to Telegram. However, they are stored on the device — and subject to the same device-level forensic access as Signal.

Standard (non-secret) Telegram chats are stored in a local cache on the device that is significantly easier to access than Signal's encrypted database. Forensic tools including Cellebrite UFED and Magnet AXIOM support direct Telegram database extraction and parsing on both iOS and Android.

Cloud backups — the frequently overlooked source

The most common source of Signal and Telegram message recovery in forensic practice is not device extraction — it is cloud backup. Both applications can be configured to back up locally to Google Drive (Android) or iCloud (iOS). If this setting is enabled, message histories are preserved in the backup even after deletion from the device. Cloud backup extraction, conducted with appropriate authorisation, frequently provides a more complete message history than device-level extraction alone.

The practical conclusion: when facing a matter involving encrypted messaging apps, do not assume evidence is unrecoverable. The configuration of the specific installation, the device platform, the availability of backups, and the time elapsed since any deletion are all material factors. A forensic assessment of recoverability prospects before any work begins is the appropriate first step.

Electronic discovery — the identification, preservation, collection, review, and production of electronically stored information (ESI) in the context of litigation — has transformed legal practice globally. India lacks a dedicated eDiscovery procedural framework equivalent to the US Federal Rules of Civil Procedure Rule 26 or the UK's Practice Direction 31B. This absence does not, however, exempt Indian litigants from obligations to identify and produce relevant electronic documents — and courts have increasingly penalised parties for ESI spoliation.

The legal basis for ESI production in India

The obligation to produce electronic documents derives from the same discovery provisions that govern paper documents — Order XI of the Code of Civil Procedure, 1908, as amended — read together with the Information Technology Act, 2000's provisions on electronic records. Electronic documents are documents for the purpose of CPC discovery obligations. A court order for discovery of "documents relating to" a matter encompasses emails, databases, instant messages, and other ESI as fully as physical files.

Courts have made this explicit. In Trimex International FZE v. Vedanta Aluminium Ltd. (2010), the Supreme Court admitted emails as primary evidence in a commercial dispute, establishing that electronic communications are not merely secondary evidence requiring special treatment but can constitute direct evidence of the facts they record.

The defensible collection standard

The concept of "defensible collection" — borrowed from US eDiscovery practice — refers to an ESI collection methodology that can withstand challenge by opposing counsel. A defensible collection is one where: the scope of collection was documented and rationally connected to the issues in dispute; the collection was conducted by a qualified examiner using forensically sound methods; the integrity of the collected data is verifiable through hash values; and the chain of custody is documented from collection through production.

"The standard for ESI collection is not perfection — it is reasonableness. Courts ask whether the party made a good faith, systematic effort to identify and collect relevant ESI using methods appropriate to the volume and nature of the data." — Sedona Conference Commentary on Proportionality in eDiscovery, 2017 (principles applied by reference in international commercial arbitration seated in India).

Common ESI sources in Indian corporate litigation

The most frequently relevant ESI sources in Indian commercial and employment disputes include: corporate email systems (Exchange, Google Workspace, Zoho Mail); instant messaging platforms used for business communication (WhatsApp Business, Microsoft Teams, Slack); ERP and accounting systems (SAP, Oracle, Tally); shared document repositories (SharePoint, Google Drive); and CRM systems. Each source requires a different collection methodology and presents different preservation challenges.

Litigation hold — the first obligation

When litigation is reasonably anticipated, the duty to preserve relevant ESI arises immediately. A litigation hold — a formal instruction to relevant personnel to suspend routine deletion and document retention policies for ESI potentially relevant to the anticipated proceedings — is the mechanism for meeting this obligation. Failure to issue a timely litigation hold, resulting in the destruction of relevant ESI through routine operations, is the most common source of spoliation sanctions in commercial litigation.

SatyaDigi Forensics Limited assists corporate clients with eDiscovery scoping, defensible ESI collection, and the production of Section 65B-compliant evidence packages. If your organisation is anticipating or responding to commercial litigation involving electronic documents, early engagement with a forensic examiner significantly reduces both cost and legal risk.

Employment disputes involving allegations of data theft, breach of confidentiality, non-compete violations, and unauthorised disclosure represent a growing segment of corporate forensic work in India. The increasing mobility of the workforce — combined with the ease with which large volumes of data can be transferred via USB drives, cloud uploads, and personal email — has made digital forensic evidence central to both bringing and defending these claims.

What the first 24 hours after termination actually look like — forensically

Employee offboarding is frequently a forensically critical period. The hours immediately before and after termination notification are when departing employees are most likely to transfer files, copy contact databases, and delete evidence of prior transfers. The company's response in the first 24 hours determines whether this activity will be recoverable.

Standard IT offboarding — disabling credentials, collecting devices, reimaging laptops for reuse — is forensically destructive if conducted without prior forensic preservation. A laptop reimaged 48 hours after termination may contain no recoverable evidence of files transferred in the week before departure. This is not a hypothetical risk — it is the most common reason that companies arrive at a forensic examiner with a strong suspicion of data theft but insufficient evidence to act on it.

What digital forensics can establish in employment matters

A forensic examination of a departing employee's devices and accounts can establish:

• Whether USB storage devices were connected, and when — Windows records a detailed registry entry for every USB device connected, including the device serial number and the timestamps of first and last connection.
• Which files were accessed, copied, or deleted in the period before departure — the Master File Table (MFT) on NTFS systems records access, creation, and modification timestamps for every file on the volume.
• Whether files were uploaded to personal cloud storage — cloud sync client logs (Dropbox, OneDrive, Google Drive) maintain transfer histories that persist after the sync client is uninstalled.
• Whether personal email was used to send company documents — email client artefacts, browser history, and webmail cache entries frequently reveal send activity even when the sent items folder has been cleared.

"Digital evidence of data exfiltration before resignation typically exists across multiple independent artefact types. A well-conducted forensic examination rarely relies on a single source — corroboration across USB logs, file access records, and network activity is the standard." — SANS Institute, Forensic Analysis of Employee Misconduct, 2023.

Non-compete and garden leave enforcement

Enforcing non-compete and garden leave provisions increasingly requires digital evidence — proof that the departing employee has joined a competitor, is contacting clients, or is actively working during the restriction period. Social media activity, LinkedIn updates, email metadata, and device usage patterns have all been used in Indian employment tribunal proceedings to establish breach of these obligations.

Cloud storage has fundamentally changed the forensic landscape of data exfiltration investigations. Where a departing employee previously had to physically remove files on a USB drive — leaving clear hardware artefacts — they can now upload terabytes of data to a personal OneDrive or Google Drive account from their desk without touching any removable media. The forensic challenge is real, but the evidence trail is also surprisingly durable.

What cloud sync clients leave behind on the device

Cloud storage applications — OneDrive, Google Drive (Backup and Sync / Drive for Desktop), Dropbox — maintain detailed local logs of sync activity that persist on the device even after the application is uninstalled. These logs record: file names and paths synced, timestamps of sync operations, account identifiers, and in some cases file hashes. On Windows systems, additional evidence exists in the registry, prefetch files, and the Windows Event Log.

Microsoft OneDrive's sync database, stored in a SQLite file at a predictable location in the user profile, records every file synced to the cloud with metadata including the OneDrive account email address, file hash, and sync timestamp. This database persists after the sync client is uninstalled and is recoverable through standard forensic file system analysis even after deletion, provided it has not been overwritten.

Obtaining records directly from cloud providers

Beyond device-level artefacts, cloud storage providers maintain server-side logs of account activity — uploads, downloads, sharing events, and access from different devices and IP addresses. These records are obtainable through legal process in appropriate circumstances.

Microsoft (OneDrive), Google (Drive), and Dropbox all have processes for responding to court orders and law enforcement requests from Indian authorities. For civil litigation, a Norwich Pharmacal-type application to the relevant High Court seeking disclosure orders directed at the cloud provider is the appropriate mechanism. Indian courts have granted such applications in data theft matters where the cloud provider's records were material to establishing the scope of exfiltration.

"Cloud provider access logs represent one of the most reliable sources of data exfiltration evidence — they are maintained by an independent third party, timestamped, and immune to tampering by the subject of the investigation." — Magnet Forensics, Cloud Forensics Best Practices, 2024.

Personal vs corporate cloud accounts

A key distinction in cloud forensics is between corporate-managed cloud storage (where the organisation controls the tenant and has administrative access to logs) and personal accounts (where the organisation has no direct access and must proceed via legal process). Many data exfiltration cases involve both — files first moved from the corporate OneDrive to a personal Google Drive, then accessed from a personal device. Tracing this chain requires evidence from both sources.

Accounts payable fraud — including fictitious vendor creation, invoice manipulation, and payment redirection — is among the most common and costly forms of corporate fraud globally. The Association of Certified Fraud Examiners (ACFE) 2024 Report to the Nations estimates that billing fraud accounts for 22% of occupational fraud cases, with a median loss of $150,000 per incident. In India, high-value vendor fraud regularly appears in forensic investigation mandates from both listed companies and large private enterprises.

The digital footprint of invoice fraud

Despite being designed to look like legitimate business transactions, vendor fraud leaves characteristic digital footprints across multiple systems. A forensic investigation typically examines:

• ERP system audit logs: Enterprise resource planning systems — SAP, Oracle, Microsoft Dynamics — maintain transaction logs recording who created or modified each vendor master record, invoice, and payment instruction, with timestamps and user credentials. These logs are frequently not reviewed in routine operations but provide a detailed forensic trail.
• Email metadata: The creation of fictitious vendors and the submission of fraudulent invoices involves email communication — whether between co-conspirators or with the vendor's ostensible point of contact. Email metadata (sender, recipient, timestamps, IP addresses) provides corroborating evidence of the fraud timeline.
• Document metadata: Invoice documents created or modified by the fraudster carry file metadata — creation date, modification date, author field, and last-modified-by field — that frequently contradicts the claimed provenance of the document.
• Bank payment records: RTGS, NEFT, and UPI payment records for the fraudulent transactions, correlated with the beneficiary account's KYC information, often reveal connections to the perpetrator or their associates.

"The most telling indicator of vendor fraud is frequently the gap between the ERP audit log — which records exactly who did what and when — and the authorisation trail provided by the subject employee. Discrepancies in this gap are where fraud investigations typically begin to resolve." — ACFE, Fraud Examiner's Manual, 2023 edition.

Document authenticity analysis

Forensic document analysis is a distinct but complementary discipline. PDF invoices submitted by fictitious vendors frequently betray their fraudulent origin through metadata inconsistencies — creation software not used by the purported vendor, creation dates predating the vendor relationship, author fields containing the name of the perpetrator's personal computer account. Font analysis, form field examination, and pixel-level image analysis can establish whether a document is genuine or fabricated.

India's Prevention of Money Laundering Act (PMLA) and the IPC provisions on cheating (Section 420) and forgery (Section 463-471) provide the criminal law framework for vendor fraud prosecution. A well-documented forensic report significantly accelerates the ED's or CBI's investigation when criminal referral is made.

India's Digital Personal Data Protection Act 2023 (DPDPA) received Presidential assent in August 2023 and is expected to come into full force progressively through 2024-2025. It introduces a comprehensive framework for the processing of digital personal data — including specific obligations that apply when an organisation conducts an internal investigation or commissions external forensic examination of employee data.

What the DPDPA requires in the context of investigations

The DPDPA requires that personal data be processed only for a lawful purpose with the consent of the data principal, or on one of the specified grounds that do not require consent. Section 4(1) establishes the general prohibition on processing without a lawful basis. For corporate investigations, the relevant lawful bases are:

• Legal obligation: Processing necessary to comply with a legal obligation — including a court order, regulatory requirement, or statutory duty — is permitted without individual consent.
• Legitimate uses: Section 7 lists specified legitimate uses including processing for purposes related to legal proceedings. A forensic examination conducted in connection with anticipated or actual litigation falls within this category.
• Employment context: Processing of employee data for purposes connected to employment — including investigation of misconduct — is a recognised legitimate use, subject to proportionality requirements.

"The DPDPA does not prohibit internal investigations — it requires that they be conducted with appropriate legal basis, proportionality, and data minimisation. The obligations it creates are process obligations, not prohibitions." — MeitY Discussion Paper on DPDPA Implementation, 2024.

Proportionality and data minimisation

Even where a lawful basis exists, the DPDPA's data minimisation principle requires that only the personal data necessary for the investigation purpose be collected and processed. A forensic examination of an employee device must be scoped to data relevant to the investigation — a financial fraud investigation does not justify wholesale examination of the employee's personal communications unrelated to the alleged fraud.

In practice, this means that the forensic brief should define clearly what categories of data are sought and why each category is relevant. A well-scoped brief protects the organisation from challenges to the admissibility or legality of the examination and reduces the risk of DPDPA liability.

Cross-border data transfers in forensic contexts

Where a forensic examiner is based outside India, or where examination data is processed on servers outside India, the DPDPA's cross-border transfer provisions apply. Data may be transferred to countries approved by the Central Government — a list not yet finalised as of this writing. Pending finalisation, organisations should ensure that forensic work involving personal data of Indian data principals is conducted within India wherever possible, with appropriate contractual protections where cross-border transfer is unavoidable.

SatyaDigi Forensics Limited operates exclusively within India, ensuring that all forensic work on Indian client data is conducted within the domestic regulatory framework. All engagements begin with a scope agreement that addresses DPDPA compliance requirements as a matter of standard practice.

When data is lost — whether through accidental deletion, file system corruption, partition loss, or software failure — the appropriate recovery approach depends fundamentally on the nature of the loss. Logical recovery and physical recovery are distinct disciplines addressing different categories of problem. Choosing the wrong approach wastes time and money; in the worst case, it reduces the probability of successful recovery.

Logical data recovery — what it addresses

Logical recovery addresses data loss that occurs at the software or file system level, where the underlying storage hardware is functioning correctly. Common scenarios include:

• Accidental deletion: Files deleted from the operating system are not immediately erased from the storage medium — the file system marks the space as available for reuse. Until that space is overwritten by new data, the original file content remains recoverable through logical recovery tools.
• File system corruption: Power failures, improper shutdowns, and software bugs can corrupt the file system structures — the partition table, Master Boot Record, MFT (Master File Table), or FAT — that the operating system uses to locate files. Logical recovery tools rebuild or bypass these structures to access the underlying data.
• Partition loss or reformatting: Accidental reformatting or partition deletion removes the file system metadata but leaves the data intact on the disk. Recovery scans the raw storage for file signatures and recoverable content.
• Ransomware encryption: Where a decryption tool is available, ransomware recovery is a logical operation — the encrypted data is intact and physically accessible; the challenge is cryptographic rather than mechanical.

"In the majority of data loss scenarios presented to recovery laboratories, the underlying hardware is functioning normally and the data is physically present on the storage medium. Logical recovery, applied promptly and correctly, recovers the vast majority of lost data in these cases." — Ontrack Data Recovery Industry Report, 2023.

When logical recovery is not sufficient

Logical recovery requires that the storage hardware be capable of delivering readable data to the recovery tool. When hardware failure prevents this — a failed read head, seized spindle motor, damaged PCB, or degraded NAND flash — logical tools cannot function regardless of how sophisticated they are. In these cases, physical recovery is required: cleanroom disassembly, component replacement, or direct chip-level access to recover the raw data before logical reconstruction can proceed.

The indicators that physical recovery is required include: clicking or grinding sounds from a hard drive; a drive that does not spin up or is not detected by the BIOS; a storage device that presents with I/O errors on every read operation; or flash storage that fails with controller errors. Attempting to run logical recovery tools on a physically failing drive frequently accelerates the hardware failure and reduces the probability of successful recovery.

Forensic logical recovery — the additional requirements

When logical data recovery is required in a forensic context — where recovered data may be used as evidence — the process must meet forensic standards. This means acquiring a write-blocked image of the storage device before any recovery attempt, performing recovery on the forensic copy rather than the original, documenting hash values at each stage, and maintaining chain of custody records throughout. Forensic logical recovery is therefore distinct from commercial data recovery in its procedural requirements, even when the underlying technical methods are similar.

File carving is a data recovery technique that operates directly on raw storage data — without relying on any file system metadata. It is used when the file system has been corrupted, destroyed, or deliberately wiped, and when standard file system-based recovery methods cannot locate recoverable data. It is also a foundational tool in forensic investigations where evidence has been deleted — often deliberately — and where the file system no longer references the deleted content.

The technical basis of file carving

Every file type has characteristic byte sequences — magic numbers or file signatures — at its beginning and, in many cases, its end. A JPEG image begins with the bytes FF D8 FF and ends with FF D9. A PDF begins with %PDF. A ZIP archive begins with PK. These signatures are defined by the file format specification and are consistent across all valid files of that type.

File carving tools scan a raw storage image byte by byte, searching for these known signatures. When a signature is detected, the tool attempts to recover the complete file — either by following the file format's internal structure to locate the end of the file, or by carving a fixed block of data from the signature offset.

"File carving is among the most powerful tools in the forensic examiner's arsenal precisely because it does not depend on the integrity of the file system. It operates on the raw data — and the raw data persists long after the file system metadata that referenced it has been destroyed." — Garfinkel, S., Carving Contiguous and Fragmented Files with Fast Object Validation, DFRWS 2007.

Fragmentation — the primary technical challenge

File carving is straightforward when files are stored contiguously on the storage medium — as they typically are on SSDs and less fragmented HDDs. The challenge arises with fragmented files, where the file's data is split across non-contiguous sectors of the disk. Standard header-footer carving recovers the data from the first fragment to the end marker, missing the subsequent fragments entirely and producing a corrupt or partial file.

Advanced file carving tools — including Scalpel, PhotoRec, and Autopsy's carver module — address fragmentation through fragment reassembly algorithms that use file-type-specific validation to test candidate fragment combinations. For JPEG images, for example, the tool can validate candidate reassemblies by testing whether the reassembled data decodes to a valid image. This significantly improves recovery rates on fragmented storage but increases processing time substantially.

File carving in forensic investigations

In forensic contexts, file carving is used to recover deleted files from unallocated space — the storage areas marked as available by the file system but not yet overwritten. It is also used on storage that has been subjected to low-level formatting or partition wiping, where the file system has been replaced but the underlying data has not been overwritten.

Evidence recovered through file carving is admissible in Indian courts when accompanied by proper Section 65B certification and forensic documentation. The examiner's report must document the tool used, the methodology applied, the hash values of recovered files, and the examiner's assessment of file integrity — noting cases where recovered files are incomplete or potentially corrupt due to fragmentation or partial overwriting.

File carving has been used in Indian fraud investigations to recover deleted financial records, correspondence, and documents from wiped devices — providing evidence that the subject believed was permanently destroyed. If you have a matter involving deleted or wiped storage, contact us to assess recovery prospects.